Software Release 2.3.1
C613-10325-00 REV B
per line. Options are supplied after the entry and a colon. Each option is
separated by a space.
The option keywords that are allowed for each entry are “allow” and
“nocookies”. The “allow” option will explicitly allow the URL, or part of the
URL, given on the line. This is useful for exceptions to a deny filter or a given
keyword. The “nocookies” option specifies that the proxy should not accept
cookie requests from the domain or URL given, and implicitly allows the URL.
Comments may be placed in the file using a # character at the beginning of the
line. White space before and after an entry does not affect the parsing of the file
but there must be white space between the URL and colon for the options.
After the colon, white space is not needed but there must be white space
between each option specified. Empty lines are also allowed. Note that all URL
entries without options are considered to be denied.
How specific the URLs are determines the order of precedence of the entries in
the file. For example, www.plant.com/this/is/a/url/grow.html would
have more precedence than an entry containing www.plant.com/this. Also, if
the allow option is specified it will have greater precedence than a similar entry
with deny. Finally, keywords in the file have the least precedence. They are
only applied to sections of the URL not part of the closest fitting URL entry.
Figure 6 contains an example of a URL filter file.
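The parsing and precedence rules above can be modelled off the device to check a filter file before attaching it to a policy. The following is an added example, not the manual's Figure 6 and not device code. It assumes that an entry without a "." is a keyword, that URL entries match as prefixes of the requested host and path, and that a request matching nothing in the file is allowed; the names parse_filter and decide and the .example hosts are constructed for illustration.

```python
import re

# Constructed sample file (not the manual's Figure 6).
SAMPLE = """\
# entries without options are denied
www.plant.com/this
www.plant.com/this/is/a/url/grow.html : allow
www.seeds.example :nocookies
weed
www.garden.example/weed-control : allow
"""

ENTRY = re.compile(r"^(\S+)(?:\s+:\s*(.*))?$")   # white space required before ':'
OPTIONS = {"allow", "nocookies"}

def parse_filter(text):
    """Return (urls, keywords), each mapping entry -> set of options."""
    urls, keywords = {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                     # outer white space is ignored
        if not line or line.startswith("#"):   # empty line or comment
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {n}: malformed entry {line!r}")
        opts = set((m.group(2) or "").split())
        if opts - OPTIONS:
            raise ValueError(f"line {n}: unknown option(s) {sorted(opts - OPTIONS)}")
        # Assumption: an entry with no '.' is a keyword, anything else a URL.
        table = urls if "." in m.group(1) else keywords
        # Merging duplicates lets "allow" win over a similar deny entry.
        table.setdefault(m.group(1), set()).update(opts)
    return urls, keywords

def decide(url, urls, keywords):
    """Return 'deny', 'allow' or 'allow-nocookies' for a host/path string."""
    # Closest fitting entry: longest URL entry that prefixes the request
    # (prefix matching is an assumption of this example).
    best = max((e for e in urls if url.startswith(e)), key=len, default="")
    opts = urls.get(best, set())
    if best and not opts:
        return "deny"
    # Keywords have least precedence: test only the part the entry did not cover.
    rest = url[len(best):]
    if any(k in rest for k, o in keywords.items() if not o):
        return "deny"
    # Assumption: a request matching nothing in the file is allowed.
    return "allow-nocookies" if "nocookies" in opts else "allow"

URLS, KEYWORDS = parse_filter(SAMPLE)
```

Running decide over a list of representative URLs before uploading the file shows which entry wins for each, including cases where a keyword is masked by a more specific allow entry.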
In order to edit the contents of the list generated from the HTTP filter file held
in the firewall policy, it must be deleted from the firewall policy (using the
DELETE FIREWALL POLICY HTTPFILTER command), edited and then added
to the firewall policy again. Alternatively, the file may be edited. Optionally,
restarting the device will reload the filter file. Editing alone does not alter the
configuration held in the policy. No more than 5 URL filter files may be
attached to a policy at one time.
The DIRECTION parameter specifies the direction of HTTP sessions to which
the filter is to be applied. If IN is specified the filter will apply to HTTP requests
that originate on the public side of the firewall (inbound). If OUT is specified
the filter will apply to HTTP requests that originate on the private side of the
firewall (outbound). The default value is OUT.
URL filters will have no effect unless the specified policy also has an HTTP proxy
configured with a direction that matches the direction specified for the URL filter.
For example, to add the contents of the file banned.htp to the HTTP filter of
firewall policy zone1 for filtering outbound HTTP sessions, use the command:
ADD FIREWALL POLICY=zone1 HTTPFILTER=banned.htp